Month: February 2012

Great impromptu intro video to the Bro Security Network Analysis Framework at Shmoocon by one of my favorite security authors/speakers, Richard Bejtlich.

Bro is an amazing tool that gives you a great summary of what is going on in your network. It creates text log files of connections, protocols, communications, and whatever else it sees on the wire. Check it out; this is good stuff. And I know I have been on a Security Onion kick again, but guess what? It comes installed by default in the open-source Security Onion IDS.

Just surf to your nsm/bro/ directory and check out all the log information created for you.
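As an added example (my own code, not part of the post or the Bro project), here is a small Python script that reads a Bro-style conn.log and produces the kind of summary described above: bytes sent per service, plus any connections worth a second look. The log records and the thresholds are constructed for the example; the parser reads the `#fields` header rather than assuming a fixed column layout.

```python
"""Summarize a Bro conn.log: tab-separated, self-describing via its
'#fields' header line. The sample below is constructed for this example."""
from collections import defaultdict

# Constructed sample in the layout of Bro's conn.log (not real traffic).
SAMPLE_CONN_LOG = """#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1328140800.1\tCx1\t192.168.1.10\t51000\t93.184.216.34\t80\ttcp\thttp\t0.5\t420\t15000\tSF
1328140801.2\tCx2\t192.168.1.10\t51001\t192.168.1.1\t53\tudp\tdns\t0.01\t60\t120\tSF
1328140802.3\tCx3\t192.168.1.22\t51002\t198.51.100.7\t443\ttcp\tssl\t3600.0\t52000000\t8000\tSF
1328140803.4\tCx4\t192.168.1.22\t51003\t198.51.100.9\t4444\ttcp\t-\t7200.0\t2048\t1024\tS1
"""


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' line.
    Bro writes unset fields as '-'; those become None."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other '#' lines are metadata (separator, path, types)
        if fields is None:
            raise ValueError("data line seen before the #fields header")
        values = [None if v == "-" else v for v in line.split("\t")]
        yield dict(zip(fields, values))


def summarize(records, long_secs=3600.0, big_out_bytes=10_000_000):
    """Return (bytes sent by clients per service, [(uid, reason), ...]).
    Thresholds are illustrative: flag a client pushing out more than
    big_out_bytes, or a long-lived connection Bro could not assign a service."""
    per_service = defaultdict(int)
    flagged = []
    for r in records:
        service = r["service"] or "unknown"
        orig_bytes = int(r["orig_bytes"] or 0)
        duration = float(r["duration"] or 0)
        per_service[service] += orig_bytes
        if orig_bytes > big_out_bytes:
            flagged.append((r["uid"], "large outbound transfer"))
        elif duration >= long_secs and service == "unknown":
            flagged.append((r["uid"], "long-lived connection, no identified service"))
    return dict(per_service), flagged


if __name__ == "__main__":
    totals, hits = summarize(parse_conn_log(SAMPLE_CONN_LOG))
    print("client bytes per service:", totals)
    for uid, reason in hits:
        print(f"review {uid}: {reason}")
```

Pointing it at a real sensor is a matter of replacing the embedded sample with the contents of conn.log under the nsm/bro/ directory.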

Advanced threats are specifically made to bypass firewalls and intrusion detection systems, effectively killing defense in depth. So how do you battle these threats? Network Security Monitoring.

Several commercial and open source tools exist for Network Security Monitoring (NSM), so you will need to look around and find the one that works best for your needs. But nowadays you need a tool that records all the traffic coming in and out of your network and analyzes it for suspicious patterns or behaviors.

Security Onion is a great option for small to medium businesses (even home users) that need the power of NSM, but can’t afford a commercial solution. Security Onion comes pre-configured with a ton of intrusion and network security monitoring tools.

But for any NSM solution, you want one that:

Records all your traffic

Analyzes for suspicious behavior and patterns and warns you when they are detected

Provides complete packet captures

Provides an easy way to view and analyze captured packets

Keeps complete logs of all intrusions and suspicious behavior

Keeps a log of all websites visited, DNS lookups, ftp sessions, even chat and mail sessions.

Security Onion can do all of that and more. Plus you can have multiple sensors in multiple locations and have them all report back to a single Security Onion Install.

Why would you want multiple sensors? For any NSM install, you want to have a view of your network traffic at different locations in case the worst happens and you get compromised. You can place a sensor between your incoming data pipe and your main firewall. You can also place one between your firewall and LAN. That way you can see what was hitting your edge firewall and what made it through.

You can also place a sensor between the LAN switch and a single high-priority machine. This way you can tell exactly what data was transferred to and from this machine in case of a breach. You need to analyze your network and see where the best places would be to institute monitoring.

Intruders will get in, it is just a fact of life now. The NSA came to this conclusion about network security in 2010. Debora Plunkett, NSA’s director of the U.S. Information Assurance Directorate said, “There’s no such thing as ‘secure’ any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in. We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”

But you can monitor and hopefully catch them before the worst happens. Or, in the event the worst does happen, you will have a full forensic trail to follow to make sure that it doesn't happen again.

The Hacktivist group Anonymous has released an intercepted FBI conference call between the FBI and numerous police agencies. Along with the audio clip, the group also released an internal FBI e-mail about the conference call on Pastebin.

The e-mail, titled “Anon-Lulz International Coordination Call”, appears to have been sent to numerous international police agencies. The Pastebin post states the call would be held on Tuesday, January 17, 2012 and was to “discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups.”

According to the BBC, the FBI has confirmed the call was legitimate, and that they are hunting down those involved:

“The information was intended for law enforcement officers only and was illegally obtained. A criminal investigation is under way to identify and hold accountable those responsible.”

The BBC also mentions that the phone call was most likely not intercepted live, but was taken from an audio file:

“It was unclear how Anonymous had managed to obtain the recording but a lawyer for one of the suspects discussed told the BBC it appeared to have been taken as an audiofile from an intercepted email, rather than having been eavesdropped on.”

It is very concerning that Anonymous gained this e-mail and audio file. This does not mean, though, that Anonymous has gained access to internal FBI systems; they could have gained access to any of the international police organizations listed in the e-mail and pilfered the data from there.